Automated Indicator Sharing


 

The Cybersecurity and Infrastructure Security Agency’s (CISA's) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, among the Federal Government; state, local, tribal, and territorial governments; and the private sector. Threat indicators are pieces of information like malicious Internet Protocol (IP) addresses or the sender's address of a phishing email (although they can also be much more complicated).

AIS is part of CISA's effort to create a cyber ecosystem where, as soon as a stakeholder observes an attempted compromise, the cyber threat indicator of compromise will be shared in real time with all AIS partners, protecting them from that particular threat. That means adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyberattacks. While AIS will not eliminate sophisticated cyber threats, it will allow companies and federal agencies to concentrate on them more by clearing away less sophisticated attacks.

Ultimately, the goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyberattacks.

We Need You!

The Federal Government is sharing indicators through AIS—but we always need more private sector companies to join to receive indicators and to share indicators with us!

As you give us feedback about AIS, we will update it to make it even more useful to you.

How AIS Works

AIS participants connect to a CISA-managed system that allows bidirectional sharing of cyber threat indicators. A server housed at each participant’s location allows the participating organization to exchange indicators with CISA. Participants will not only receive CISA-developed indicators but can also share indicators they have observed in their own network defense efforts, which CISA will then share with all AIS participants.

Participants who share indicators through AIS will not be identified as the source of those indicators to other participants unless they affirmatively consent to the disclosure of their identities. In other words, a participant remains anonymous unless that participant wants CISA to share its name with other participants.

Indicators are not validated by CISA as the emphasis is on velocity and volume: AIS partners agree to vet the indicators they receive through AIS, so CISA’s goal is to share as many indicators as possible, as quickly as possible. However, when CISA has useful information about an indicator, it will assign a reputation score to the indicator.

AIS leverages industry standards for machine-to-machine communication through the sharing of Structured Threat Information Expression (STIX) files through the Trusted Automated eXchange of Indicator Information (TAXII™). The Department of Homeland Security (DHS) initiated the development of these industry standards in 2012 and licensed them to the Organization for the Advancement of Structured Information Standards in 2015 for their continued evolution. Any organization participating in AIS must be able to communicate using these machine-to-machine specifications.

Automated Indicator Sharing (AIS) 2.0 builds on the foundations set over the past five years with cyber threat indicator sharing and introduces a more robust machine-readable format, STIX 2.1, along with a more flexible delivery mechanism, TAXII 2.1. Both TAXII 2.1 and STIX 2.1 reflect the latest community-defined standard on threat data sharing. Stakeholders can now share critical context within the STIX data, i.e., the MITRE ATT&CK techniques. AIS 2.0 also introduces several new key features, including:

1. Automated Score and Feedback for all indicators, which allows stakeholders to organize and prioritize indicators based on numerical scores and help reduce false positives

2. TAXII filtering, which allows stakeholders to customize their AIS data feeds to ensure they only receive the types and quality of data they want to use tactically to help defend their network environment

3. Ability to adopt the latest framework for cyber threat sharing, STIX 2.1 (JSON-based), which aims to increase sharing across both federal and non-federal communities to enable better community awareness of cyber threats
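
The consumer-side vetting that AIS partners agree to perform, as an added example (not CISA's code and not part of the original page): it triages a constructed STIX 2.1 bundle by numerical score, revocation status and validity window. It assumes the score is carried in the standard STIX 2.1 `confidence` property (0-100); the `ind` and `vet` helpers, the threshold of 50 and the reason labels are choices made for this example.

```python
import re
from datetime import datetime, timezone

def ind(n, pattern, **extra):
    """Build a constructed STIX 2.1 indicator (sample data, not real AIS content)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2024-01-01T00:00:00Z", **extra}

# Constructed bundle using documentation-reserved addresses and domains.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    ind(1, "[domain-name:value = 'c2.example']", confidence=70),
    ind(2, "[ipv4-addr:value = '198.51.100.7']", confidence=85),
    ind(3, "[email-addr:value = 'billing@phish.example']", confidence=40),
    ind(4, "[domain-name:value = 'old.example']", confidence=90, valid_until="2024-02-01T00:00:00Z"),
    ind(5, "[ipv4-addr:value = '203.0.113.9']", confidence=95, revoked=True),
    ind(6, "[url:value = 'http://login.example/a']"),  # no score assigned
    {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000099", "name": "Constructed"},
]}

SIMPLE = re.compile(r"^\[([a-z0-9-]+):value\s*=\s*'([^']*)'\]$")  # single-comparison patterns only

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def vet(bundle, now=None, min_confidence=50):
    """Split indicators into (accepted sorted by score, rejected with reasons)."""
    now = now or datetime.now(timezone.utc)
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = SIMPLE.match(obj.get("pattern", ""))
        if obj.get("revoked"):
            reason = "revoked"
        elif "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            reason = "expired"
        elif obj.get("confidence") is None:
            reason = "unscored"
        elif obj["confidence"] < min_confidence:
            reason = "low-confidence"
        elif obj.get("pattern_type") != "stix" or match is None:
            reason = "unsupported-pattern"
        else:
            accepted.append((obj["confidence"], match.group(1), match.group(2)))
            continue
        rejected.append((obj["id"], reason))
    return sorted(accepted, reverse=True), rejected
```

Calling `vet(SAMPLE_BUNDLE)` returns the accepted `(score, type, value)` tuples in priority order and a list of rejected indicator IDs with the reason each was held back for review.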

The Cybersecurity Act of 2015

AIS is available for free through CISA Central, a 24/7 cyber situational awareness, incident response, and management center that was designated as the central hub for the sharing of cyber threat indicators between the private sector and the Federal Government by the Cybersecurity Act of 2015. This legislation also grants liability protection and other protections to companies that share indicators through AIS.

As mandated by the Cybersecurity Act of 2015, CISA certified the operability of AIS in March 2016 and released guidance to help non-federal entities share cyber threat indicators with the Federal Government.

Privacy Protections

CISA has taken careful measures to ensure that appropriate privacy and civil liberties protections are implemented in AIS and are regularly tested.

To ensure that personally identifiable information (PII) is protected, AIS has processes that:

  • perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
  • incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
  • minimize the amount of data included in an indicator to information that is directly related to a cyber threat;
  • retain only the information needed to address cyber threats; and
  • ensure that any information collected is used only for network defense or limited law enforcement purposes.

DHS has published a Privacy Impact Assessment of AIS.

How to Participate in AIS

AIS is available for free to: all private sector entities; federal departments and agencies; state, local, tribal, and territorial governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies.

Steps

    1. Contact cyberservices@cisa.dhs.gov (engagement information) or taxiiadmins@us-cert.gov (technical assistance during onboarding).
    2. Agree to the short Terms of Use for non-federal organizations or the Multilateral Information Sharing Agreement (MISA) for federal organizations.
    3. Get a STIX/TAXII capability: use an open source TAXII client, provided by DHS or others in the community (e.g., ISACs, ISAOs), or obtain access via a commercial solution.
    4. Purchase a Public Key Infrastructure (PKI) certificate from a Federal Bridge Certificate Authority.
    5. Sign an Interconnection Security Agreement and provide your IP address to CISA.

Please email CISAServiceDesk@us-cert.gov for additional information and to join AIS.

To view the guidance documents and learn more about AIS and the sharing of cyber threat indicators, visit www.us-cert.gov/ais.

How to Submit Indicators

DHS also offers opportunities to share cyber threat indicators and defensive measures via web form and email. Access the web form here.

Email cyber threat indicators and defensive measures to DHS at cisaservicedesk@hq.dhs.gov, and provide the following fields for emailed indicators:

  • Type: either indicator or defensive measure
  • Valid time of incident or knowledge of topic
  • Indicate tactics, techniques, and procedures (TTP), even if pointing to a very simple TTP with just a title
  • A confidence assertion regarding the level of confidence in the value of the indicator (e.g. high, medium, low)

ISACs - ISAOs

MS-ISAC  

E-ISAC

Etc.  More ISACs to follow

AIS 1.0 Documents:

The Automated Indicator Sharing (AIS) capability has a list of documentation including:

AIS Terms of Use – The TOU give the basic rules and responsibilities for connecting to the TAXII Server as well as some basic terminology that is used in the program.

AIS ACS Marking Guidance – (For our Federal Customers) This document assumes the reader in the Federal sharing community has some familiarity with AIS, STIX, and XML and wishes to create and mark STIX documents in XML for sharing with AIS.

AIS Brokering System Description – (For our Federal Customers) The AIS Brokering Document provides significant detail on the brokering functions provided by DHS. This document provides additional guidance and examples specifically for Federal entities to mark information with ACS markings that they intend to share with non-Federal and Federal entities via AIS.

AIS Interconnection Agreement – The Interconnect Document describes general responsibilities on both sides to ensure that the Trusted Automated Exchange of Indicator Information (TAXII) connectivity is properly secured and that we know whom to contact about maintenance windows or in case of suspicious activity on the server.

Please complete this with Point of Contact information so we can engage with the right security staff on your side.

AIS Submission Guidance: The Submission Guidance provides details for crafting cyber threat indicators in Structured Threat Information Expression (STIX) format, along with explanation of how to use Traffic Light Protocol (TLP). In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. In addition, there are several examples of STIX indicators attached.

AIS Submission Guidance Appendix A - In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. In addition, there are several examples of STIX indicators attached.

The On-boarding Frequently Asked Questions (FAQ): The FAQ provides the TAXII connectivity URL, explains the types of PKI certificates needed to connect, and offers suggestions on where to purchase them if you do not already have them.

Visit the Automated Indicator Sharing publication page to view all legacy documents.
